Kimpton Hotels Investigate Card Breach Claims

Kimpton Hotels is a boutique hotel brand, including 62 properties across the United States. The boutique chain is currently investigating reports of a credit card breach across multiple locations.

On July 22, KrebsOnSecurity reached out to San Francisco-based Kimpton after hearing from three different sources in the financial industry about a pattern of card fraud that suggested a card breach at close to two-dozen Kimpton hotels across the country.

Kimpton responded to Krebs by issuing and posting the following statement:

“Kimpton Hotels & Restaurants takes the protection of payment card data very seriously. Kimpton was recently made aware of a report of unauthorized charges occurring on cards that were previously used legitimately at Kimpton properties. As soon as we learned of this, we immediately launched an investigation and engaged a leading security firm to provide us with support.”

“We are committed to swiftly resolving this matter. In the meantime, and in line with best practice, we recommend that individuals closely monitor their payment card account statements. If there are unauthorized charges, individuals should immediately notify their bank. Payment card network rules generally state that cardholders are not responsible for such charges.”

Assuming a breach at Kimpton is confirmed, the company would join a long list of hotel brands that have acknowledged card breaches over the last year, including Trump Hotels, Hyatt, Starwood and the Hilton Hotels, all of which we reported here.

“Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malware usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.” According to Brian, of KrebsOnSecurity.

Thieves can then sell the data to criminals who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to buy gift cards and high-priced goods from big-box stores.

Here are some key recommendations from our team of experts for ensuring your POS systems are secure and safe: